Changes to the Breach Notification Risk Assessment Under the HIPAA Megarule

By Clinton R. Mikel, The Health Law Partners, P.C., Southfield, MI

With last week’s release of the much anticipated “HIPAA Megarule,”1 the OCR2 has weighed in on the most discussed and controversial standards in the breach notification regulations mandated by the HITECH Act (the “Breach Rule”).

By way of brief background, the Breach Rule requires covered entities to disclose to both patients and the government when there are specific kinds of security breaches involving an unauthorized use or disclosure of unsecured patient information. In August 24, 2009, the OCR published interim final regulations implementing the HITECH Act’s Breach Rule (the “IFR”).3 Since the publication of the IFR, stakeholders have eagerly speculated as to what, if any, changes would be made to the IFR’s “risk of harm” standard.

The HIPAA Megarule’s final iteration of the Breach Rule largely leaves the IFR intact, including leaving the three enumerated exclusions from the Breach definition in place.4 As such, this article does not provide an overall discussion of the Breach Rule issues,5 which have already been thoroughly addressed in other ABA Publications.6

As anticipated, however, the two primary changes that the HIPAA Megarule made to the Breach Rule were both flashy and related to the “risk of harm standard”. These changes have been billed in many publications as some of the “headline” changes to old-HIPAA. Upon a closer review, however, the changes made to the Breach Rules do not appear to be as extensive as has been initially reported. The remainder of this article is dedicated to examining these two primary changes.

Presumption of Breach

First, and possibly most importantly, the HIPAA Megarule established that there is a presumption that any unauthorized use or disclosure of Unsecured Protected Health Information (“PHI”) is a “Breach”. Specifically, the HIPAA Megarule states that:

[Except for certain specifically enumerated Breach exclusions left intact from the IFR], an acquisition, access, use, or disclosure of protected health information in a manner not permitted under… [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probabilitythat the protected health information has been compromised based on a risk assessment… (Emphasis Added).

Prior to publication of the HIPAA Megarule, there were interpretations that a violation of the Privacy Rules did not presumptively equate to a Breach. Further, given the exceptions to the Breach Rule in the IFR, and the IFR’s definition of what it means to “compromise [] the security or privacy of the protected health information”, there was some level of confusion as to the burden of proof when assessing whether a Breach requiring notification had occurred. With the HIPAA Megarule, the OCR has effectively quashed this interpretation, consistent with 45 C.F.R. § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach.

Removal/Replacement of Harm Standard

Second, the HIPAA Megarule purports to remove the “harm standard” that was found in the IFR, and replaced its “subjectivity” with a more “objective” standard of whether the PHI has been “compromised”. By way of brief background, the HITECH Act and the IFR both provided in their definition of Breach that the violation of the Privacy Rule had to “compromise [] the privacy or security” of the PHI. In the IFR, the OCR had, in turn, by regulation defined “compromise[] the privacy or security” of the Unsecured PHI to mean a violation that “ poses a significant risk of financial, reputational, or other harm to the individual”. Though the comments received by the OCR in response to the IFR indicated that the “harm” standard was broadly supported by the healthcare industry and some members of Congress,7 it has been widely reported that certain consumer advocacy groups and some allied-Congress members opposed the same.8 In the HIPAA Megarule, the OCR discussed this in the history of the harm standard, and appeared to sympathize with the consumer advocacy groups to the limited extent that it believes that the IFR’s harm standard “was too subjective” and “could be construed and implemented in manners [they] had not intended.”9

Thus, in the HIPAA Megarule, the OCR: (i) added the Breach “presumption”, discussed above; (ii) eliminated the IFR’s “harm” standard by removing the IFR’s definition of “compromise[] the privacy or security” (leaving this language now undefined); and (iii) added what the OCR describes as a more “objective” risk assessment focused, to some extent, less on the harm to the patient, but more on whether the PHI itself was “compromised”.

The HIPAA Megarule describes the process for conducting the “objective” risk assessment as to whether the “information has been compromised”, as follows:

“[A Breach has occurred and is reportable,] unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.” (Emphasis Added).10

It is clear, however, in the OCR’s HIPAA Megarule commentary, that: (a) none of the “risk assessment” factors as to whether the “information has been compromised” are necessarily definitive, and the entire factual situation must be evaluated to determine the risk level;11 (b) the new “objective” risk analysis still involves a great deal of subjectivity;12 and (c) arguably, the new “objective” risk analysis is not materially different from the risk analysis that health lawyers have become accustomed to under the IFR (e.g., the maligned “harm standard”). This last point, though potentially controversial, is best illustrated by the OCR’s commentary. For instance, in the HIPAA Megarule:

The OCR notes initially that the HIPAA Megarule’s risk assessment factors “are derived from the factors listed in the IFR as well as many of the factors suggested by commenters” – the IFR’s risk assessment factors, of course, were set forth primarily in the context of interpreting the “harm” standard. Without exhaustively cataloging the overlap, the OCR’s commentary regarding the new “objective” and enumerated risk assessment standards bears out the similarity to the IFR commentary discussing the “harm” standard;

The OCR notes that “although we have included this risk assessment in the final rule, this type of assessment of risk should not be a new or different exercise for covered entities and business associates. Similar assessments of risk that data have been compromised must be performed routinely following security breaches and to comply with certain State breach notification laws”;13 and

In assessing its first enumerated risk assessment factor (the nature of the PHI used or disclosed), the OCR states: “to assess this factor, entities should consider the type of protected health information involved in the impermissible use or disclosure, such as whether the disclosure involved information that is of a more sensitive nature.”14 The OCR then goes on to list sensitive financial information, social security numbers, sexually transmitted disease information, mental health information, substance abuse information, and detailed clinical information as being of a “more sensitive nature”. In perhaps the coup d'état, the OCR then states that “considering the type of protected health information involved in the impermissible use or disclosure will help entities determine the probability that the protected health information could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests.”15 It is hard to interpret this in any manner other than incorporating some level of a harm standard similar to that found in the IFR.

On the Breach-continuum of “notify versus don’t notify”, it is safe to assert that the HIPAA Megarule has shifted the needle towards “notify,” primarily in that it: (i) establishes the presumption of a Breach occurring; and (ii) requires that, in order to not classify as a Breach and not be required to notify, that the risk assessment reflect “ a low probability that the protected health information has been compromised.” It remains to be seen how, in practice, the OCR will enforce the HIPAA Megarule’s changes to the Breach Rule. At present, however, it appears that the HIPAA Megarule’s iteration of the Breach Rule is not materially different from the IFR and its harm standard. At worst, it appears that the new Breach Rule is a modest and incremental tightening of the rules which covered entities have dealt with for the past three years.16

Interested parties should continue to monitor developments. In the HIPAA Megarule, the OCR promised to issue additional guidance to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios. It is possible that the OCR will use such future guidance to influence the risk assessment process, either strengthening, loosening, or continuing to maintain the status quo as to the Breach/notification determination.

Regardless, in the interim, when assessing a Breach situation, covered entities and business associates should scrupulously document and weigh both: (i) the various factors set forth in the HIPAA Megarule’s risk assessment; and (ii) the risk of harm factors as set forth in the IFR and discussed in the commentary therein. It is the author’s opinion that, for most situations, the outcome as to determining whether there has been a Breach, which in turn requires notification, will be the same. In any event, the exercise will be informative for situations where the outcomes vary, and given the structure and parameters set forth in the HIPAA Megarule, the OCR has indicated that the factors one would assess under the IFR very much have validity under the Megarule.

Clinton Mikel is a Partner at The Health Law Partners, P.C., in Southfield, MI, and is licensed to practice in both Michigan and California. He is the Vice-Chair of the ABA Health Law Section’s eHealth, Privacy & Security Interest Group, and is a graduate of Cornell University and the University of Michigan Law School.

Mr. Mikel has practiced in almost all areas of healthcare law but has focused his practice on compliance with federal and state health care regulations and transactional matters. Mr. Mikel specializes in HIPAA and state privacy laws, state and federal telehealth/telemedicine issues, federal and state self-referral laws, including Stark, federal and state anti-kickback laws, and information technology issues.

1

See U.S. Department of Health and Human Services, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (January 25, 2013), available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf , which amends the Health Insurance Portability and Accountability Act (“HIPAA”), as mandated by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

See also 45 C.F.R. §§ 164.400-414, on pages 52-56 of the ABA’s Free Redline of the Final HIPAA Megarule, available to Health Law Section members for free at this link.

2

U.S. Department of Health & Human Services, Office for Civil Rights (the “OCR”).

3

74 Fed. Reg. 42740 (August 24, 2009).

4

See 45 C.F.R. § 164.402. The definition of “Breach” specifically excludes situations involving “Unsecured Protected Health Information”, and also the following enumerated categories:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part [the Privacy Rule].

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part [the Privacy Rule].

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information…

(Emphasis Added).

5

Note, however, that there are still several pages of regulatory commentary regarding the untouched requirements of the IFR that will provide attorneys with valuable insight for interpreting the Breach Rule. In particular, the OCR “clarifies” provisions of the Breach Rule, including:

When a breach is “discovered”;

Timeliness and methods of notification;

Content of the breach notice;

How covered entities acting as business associates should respond to a breach;

That every Breach of any size carries with it the potential for OCR enforcement and penalties, both for the Breach and for the Privacy Rule violation, as well as by possibly triggering further scrutiny for the provider.

See 78 Fed. Reg. 5566, pp. 5640-5641 (January 25, 2013). As the OCR notes, out of 70 comments it received in response to the IFR that weighed in on the “harm standard”, 60 of the comments it received were supportive of the harm standard in the IFR, whereas only 10 comments it received were critical of the same. Proponents of the harm standard, according to the OCR, included “providers, health plans, professional associations, and certain members of Congress”; critics included “members of Congress and consumer advocacy groups.”

8

The OCR notes in the HIPAA Megarule commentary that opponents of the harm standard argued that the IFR set too high a bar for triggering breach notification, which was contrary to statutory intent, and that to best protect privacy individuals should be aware of all impermissible uses and disclosures of their health information regardless of the potential risk. This school of thought holds that transparency would better breed consumer trust and would allow individuals to assess the risk of harm themselves and take necessary measures to mitigate an impermissible use or disclosure of their PHI. Further, harm standard critics felt that it was improper for covered entities to have a level of discretion in their mandated self-reporting of data breaches; the OCR did not, however, cite any evidence that critics may have given in support of an argument that covered entities had abused their discretion, and the author is not aware of any such findings.

9

See 78 Fed. Reg. 5566, 5641 (January 25, 2013).

10

45 C.F.R. § 164.402.

11

This is best illustrated by the OCR’s repeated use of a phrase to the following effect: “We emphasize, however, that the entity must evaluate all the factors, including those discussed below, before making a determination about the probability of risk that the protected health information has been compromised.”

12

The HIPAA Megarule discusses each of the enumerated new risk assessment factors, and provides examples of the OCR’s thinking on the different factors.

13

See 78 Fed. Reg. 5566, 5642 (January 25, 2013).

14

See 78 Fed. Reg. 5566, 5642 (January 25, 2013).

15

See 78 Fed. Reg. 5566, 5642 (January 25, 2013).

16

Though speculative, with backing from certain HIPAA Megarule commentary, the author posits that this is related to: (i) as the OCR notes, out of 70 comments received, 60 were supportive of the “harm standard” in the IFR; (ii) the OCR, in two separate instances, indicating its agreement with “commenters that providing notification in… [cases where the unauthorized use/disclosure is inconsequential] may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely” (See 78 Fed. Reg. 5566, pp. 5640 and 5642 (January 25, 2013)); and (iii) the OCR’s recognition that the costs of a significant shift might be extremely burdensome for both providers and the governmental entity tasked with evaluating information breaches (perhaps learning from California’s experience with its no-threshold breach notification law).